9f2bdf2e6bfb7f02420ba15d3987f12cf0d024d130a7f3aea6f69d2e628ee61f

General

Target

9f2bdf2e6bfb7f02420ba15d3987f12cf0d024d130a7f3aea6f69d2e628ee61f.exe
Size

73KB
MD5

7afc2565a64699f44344be7dcba04fdf
SHA1

48d18d377e7052e901fa84f7c01aeef85e176ab8
SHA256

9f2bdf2e6bfb7f02420ba15d3987f12cf0d024d130a7f3aea6f69d2e628ee61f
SHA512

6be05523c8e938086e0c894c4f5ebeda4c1304833abfa7f3e6303c9d5ede42990299382a59bfcdb9700b0b2f45d85e130a23a22cad6753f721e0c07fdf303951
SSDEEP

1536:GZpcHolACEPdkvTvNja5ukGSZsnu2gwoX2tJVblN7JPyDwpAJ9NUEuTK:GZp+4AHkTQ7GSSg2ZD7JPcyAJD

Score

7^/10

evasion trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9f2bdf2e6bfb7f02420ba15d3987f12cf0d024d130a7f3aea6f69d2e628ee61f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	9f2bdf2e6bfb7f02420ba15d3987f12cf0d024d130a7f3aea6f69d2e628ee61f.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

9f2bdf2e6bfb7f02420ba15d3987f12cf0d024d130a7f3aea6f69d2e628ee61f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9f2bdf2e6bfb7f02420ba15d3987f12cf0d024d130a7f3aea6f69d2e628ee61f.exe

Drops file in Windows directory 1 IoCs

Processes:

9f2bdf2e6bfb7f02420ba15d3987f12cf0d024d130a7f3aea6f69d2e628ee61f.exe

description ioc process

File created C:\Windows\inf\machinez.inf 9f2bdf2e6bfb7f02420ba15d3987f12cf0d024d130a7f3aea6f69d2e628ee61f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\inf\machinez.inf	9f2bdf2e6bfb7f02420ba15d3987f12cf0d024d130a7f3aea6f69d2e628ee61f.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4063fd5750ffd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "958104475"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998352"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998352"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998352"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998352"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5E1530D2-6B43-11ED-89AC-4A8324823CC0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "958104475"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375982250"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1078416288"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c007a64e50ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045a39a05ba6dac41906d3067c3035b6c000000000200000000001066000000010000200000003d80b384215819553314b8021dea7e30cab7a39a4977368543b9767ffe40cdb2000000000e8000000002000020000000dd2e49a56b07702321c8521969c182e78cf1241453fd22038db4fc100c1bf0e8200000006cf583512add2bc603b50289cb01b38b2ba4e33b1144d8b025751419a5690cc440000000640b70a3ee397ca8be8c7ff946dd03251d41c630f93a8be726729b82d96d51cf02f8e2285d39f35d7ec22885548ee5688aed7862c93182c4382ba9ffb36d6968	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1078416288"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045a39a05ba6dac41906d3067c3035b6c000000000200000000001066000000010000200000003697c02cfc47e3409d381c3573a7a2841e0ae9345617f6e50404fbf246baa962000000000e80000000020000200000008376c9314c2163afd52aae62ad110e3fb6ec0b398591e02c002945e771adbe512000000020a629cd9dd72b504e97e37bae83decbcfbcdb1452d24379677635d00f8ac1364000000035b32ab74f96961b65ff6a704bdd023f43e7d7b292b5ad191f88dc9634804c82bd4c892fe90632dbc46dcfb13d266b2d791818984f539f5b460ae48c42ba3beb	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1556 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1556 iexplore.exe
1556 iexplore.exe
4560 IEXPLORE.EXE
4560 IEXPLORE.EXE
4560 IEXPLORE.EXE
4560 IEXPLORE.EXE

pid	process
1556	iexplore.exe

pid	process
1556	iexplore.exe
1556	iexplore.exe
4560	IEXPLORE.EXE
4560	IEXPLORE.EXE
4560	IEXPLORE.EXE
4560	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

9f2bdf2e6bfb7f02420ba15d3987f12cf0d024d130a7f3aea6f69d2e628ee61f.exeiexplore.exe

description	pid	process	target process
PID 4180 wrote to memory of 1556	4180	9f2bdf2e6bfb7f02420ba15d3987f12cf0d024d130a7f3aea6f69d2e628ee61f.exe	iexplore.exe
PID 4180 wrote to memory of 1556	4180	9f2bdf2e6bfb7f02420ba15d3987f12cf0d024d130a7f3aea6f69d2e628ee61f.exe	iexplore.exe
PID 1556 wrote to memory of 4560	1556	iexplore.exe	IEXPLORE.EXE
PID 1556 wrote to memory of 4560	1556	iexplore.exe	IEXPLORE.EXE
PID 1556 wrote to memory of 4560	1556	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\9f2bdf2e6bfb7f02420ba15d3987f12cf0d024d130a7f3aea6f69d2e628ee61f.exe
"C:\Users\Admin\AppData\Local\Temp\9f2bdf2e6bfb7f02420ba15d3987f12cf0d024d130a7f3aea6f69d2e628ee61f.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4180

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.belasmensagens.com.br/amizade/amizade-para-o-infinito-2394.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1556 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Filesize
7KB

MD5
f739b394d30d392d8eb28922bf5a7e12

SHA1
78124ad341a0e03ecbb7660011409767e6678fef

SHA256
4fff638b8a8f8004eb7a6f5d71ba702373ece50bbe85f499d00d09e7c86dc543

SHA512
48cf40407485d1a22f728220a64dc15e85cf051a44104019efa868cc7fccdefcfea2169eea8fb72be819a8c67892aeee72fd22deca31b8bfbd3f8018e55e215f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Filesize
232B

MD5
6d3e32f5a545e69d1158eb14d31a080a

SHA1
0dde89733ec76d40dfa2e0e63e82159d26f95165

SHA256
6b5e44e517a27e69a1de59a1060cc69d8fce58052cace3c1815442b1f2c77f72

SHA512
2470c2cf2919b242d44fa173d66fa2ba590a78b495c4530f5d9253525e89da8eba6c5af1d20d41219a1d6b4b6e36736560367c9dd6f2fbc55929c91988c29356

Download Submit
memory/4180-132-0x0000000000010000-0x000000000005F000-memory.dmp

Filesize
316KB

Download
memory/4180-133-0x0000000000010000-0x000000000005F000-memory.dmp

Filesize
316KB

Download
memory/4180-136-0x0000000000010000-0x000000000005F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads